Caring About QUERVAR

We have received several reports and inquiries about the file infector PE_QUERVAR.B-O and its infected file, PE_QUERVAR.B. Both are getting some media attention, specifically in Europe, where reports have identified infections registering mostly in the Netherlands.

Its massive spreading may be explained by a couple of things:

It infects files commonly used and shared by users: MS Word (.doc, .docx), MS Excel (.xls, .xlsx), and .EXE (normal executable) files. Once a user opens an infected file, the malware automatically looks for other MS Word/MS Excel/EXE files on the user's computer that it can infect.

It targets drives that DO NOT have a System Volume Information folder. These are commonly mapped network drives and USB/removable drives. A shared drive gets the infection spreading pretty fast.

Once files are infected, QUERVAR renames them and changes the file extension to .SCR, but the file icon remains the same. If the computer's folder view is configured to hide file extensions, the renamed file looks like the original; when the user opens it, nothing visible happens and the original document is not opened.

Note that manually renaming the file back to its original extension will not restore it. Infected files are also encrypted by QUERVAR, which makes cleaning and restoring them harder. While some are taking this as a sign that this is ransomware, our analysis so far hasn't shown that to be the case. We're not sure why these files are encrypted but are continuing to research that.
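As an added hunting example (not Trend Micro's code), the script below applies the two traits described above from the defender's side: it only looks at roots that lack a "System Volume Information" folder, the drives QUERVAR targets, and it lists every .SCR file there together with whether it is really a PE executable, since an infected document carries a .SCR extension and a Word/Excel icon but is a PE file underneath. The directory layout and the minimal MZ/PE header it builds are constructed for the demo.

```python
import os
import struct
import tempfile
from pathlib import Path

def lacks_system_volume_information(root):
    """QUERVAR skips drives that carry a System Volume Information folder."""
    return not (Path(root) / "System Volume Information").is_dir()

def is_pe_file(path):
    """True if the file starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False

def triage_scr_files(root):
    """Return [(path, is_pe)] for every .scr under root when root is a drive the
    infector would target, else an empty list. A PE file with a .scr extension on a
    share or USB stick deserves a closer look; a non-PE .scr is a plain renamed file."""
    if not lacks_system_volume_information(root):
        return []
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".scr"):
                full = os.path.join(dirpath, name)
                hits.append((full, is_pe_file(full)))
    return sorted(hits)

def build_demo_tree():
    """Constructed layout: a 'USB stick' without SVI holding one PE-like .scr and one
    plain-text .scr, plus a 'system drive' with SVI that must be skipped."""
    base = Path(tempfile.mkdtemp())
    usb, sysdrv = base / "usb", base / "sysdrive"
    (usb / "docs").mkdir(parents=True)
    (sysdrv / "System Volume Information").mkdir(parents=True)
    # Minimal MZ header with e_lfanew = 0x40, immediately followed by the PE signature.
    fake_pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    (usb / "docs" / "budget.scr").write_bytes(fake_pe)
    (usb / "notes.scr").write_text("just text")
    (sysdrv / "budget.scr").write_bytes(fake_pe)
    return str(usb), str(sysdrv)

if __name__ == "__main__":
    usb_root, sys_root = build_demo_tree()
    for path, pe in triage_scr_files(usb_root):
        print(f"{path}: {'PE executable' if pe else 'not PE'}")
    print("system drive hits:", triage_scr_files(sys_root))
```

Legitimate screensavers are PE files too, so treat a hit as a triage lead to confirm with the pattern detection below, not as a verdict.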

Trend Micro products detect both file infectors via Smart Scan Pattern 9.311.00, which automatically deletes PE_QUERVAR.B-O. Further updates will be posted to this blog entry.

Update as of 6:28 PM PST

Trend Micro customers are encouraged to update their patterns to 9.313.00. This pattern restores PE_QUERVAR.B-infected files to a usable state.

Update as of August 15, 3:59 PM PST

We saw reports that Citadel Zeus variants were observed downloading QUERVAR. While we were unable to confirm this, we analyzed {BLOCKED}.{BLOCKED}.162.163, the IP address said to host QUERVAR and Citadel Zeus. Based on our Smart Protection Network, we found that it also hosts Hermes (detected by Trend Micro as TROJ_GATAKA.AI), which is downloaded by QUERVAR. This leads us to conclude that certain variants of Citadel ZeuS, Hermes and QUERVAR may be coming from a single threat actor.

Trend Micro also blocks the related IP addresses.

Update as of August 16, 10:48 PM PST

The Hermes malware mentioned in the above update is now detected as BKDR_GATAKA.A.